cfripper
v1.16.0
CFRipper is a library and CLI security analyzer for AWS CloudFormation templates. You can use CFRipper to prevent insecure AWS resources from being deployed to your cloud environment, and you can write your own compliance checks by adding new custom plugins.
Documentation and further details are available at https://cfripper.readthedocs.io/.
Scanning two templates with text output. Without --resolve, root_bypass.json is reported as valid:

$ cfripper /tmp/root.yaml /tmp/root_bypass.json --format txt
Analysing /tmp/root.yaml...
Not adding CrossAccountTrustRule failure in rootRole because no AWS Account ID was found in the config.
Valid: False
Issues found:
- FullWildcardPrincipalRule: rootRole should not allow full wildcard ' * ' , or wildcard in account ID like ' arn:aws:iam::*:12345 ' at ' * '
- IAMRolesOverprivilegedRule: Role ' rootRole ' contains an insecure permission ' * ' in policy ' root '
Analysing /tmp/root_bypass.json...
Valid: True

With --resolve, CFRipper evaluates the template's intrinsic functions before applying the rules, and the same root_bypass.json now fails on the overprivileged role. The two PartialWildcardPrincipalRule findings are listed as monitored issues rather than failing the template, and in both runs CrossAccountTrustRule is skipped for rootRole because the config carries no AWS account ID:

$ cfripper /tmp/root.yaml /tmp/root_bypass.json --format txt --resolve
Analysing /tmp/root.yaml...
Not adding CrossAccountTrustRule failure in rootRole because no AWS Account ID was found in the config.
Valid: False
Issues found:
- FullWildcardPrincipalRule: rootRole should not allow full wildcard ' * ' , or wildcard in account ID like ' arn:aws:iam::*:12345 ' at ' * '
- IAMRolesOverprivilegedRule: Role ' rootRole ' contains an insecure permission ' * ' in policy ' root '
Analysing /tmp/root_bypass.json...
Not adding CrossAccountTrustRule failure in rootRole because no AWS Account ID was found in the config.
Valid: False
Issues found:
- IAMRolesOverprivilegedRule: Role ' rootRole ' contains an insecure permission ' * ' in policy ' root '
Monitored issues found:
- PartialWildcardPrincipalRule: rootRole contains an unknown principal: 123456789012
- PartialWildcardPrincipalRule: rootRole should not allow wildcard, account-wide or root in resource-id like ' arn:aws:iam::12345:root ' at ' arn:aws:iam::123456789012:root '

JSON output written to a folder; each template gets its own <template>.cfripper.results.json file:

$ cfripper /tmp/root.yaml /tmp/root_bypass.json --format json --resolve --output-folder /tmp
Analysing /tmp/root.yaml...
Not adding CrossAccountTrustRule failure in rootRole because no AWS Account ID was found in the config.
Result saved in /tmp/root.yaml.cfripper.results.json
Analysing /tmp/root_bypass.json...
Not adding CrossAccountTrustRule failure in rootRole because no AWS Account ID was found in the config.
Result saved in /tmp/root_bypass.json.cfripper.results.json

A rules configuration file can be passed explicitly:

$ cfripper tests/test_templates/config/security_group_firehose_ips.json --rules-config-file cfripper/config/rule_configs/example_rules_config_for_cli.py
Analysing tests/test_templates/config/security_group_firehose_ips.json...
Valid: True

or loaded from a folder of rule filters (each loaded file is echoed):

$ cfripper tests/test_templates/config/security_group_firehose_ips.json --rules-filters-folder cfripper/config/rule_configs/
example_rules_config_for_cli.py loaded
Analysing tests/test_templates/config/security_group_firehose_ips.json...
Valid: True

The CLI's own description and exit codes:

Analyse AWS CloudFormation templates passed by parameter.
Exit codes:
- 0 = all templates valid and scanned successfully
- 1 = error / issue in scanning at least one template
- 2 = at least one template is not valid according to CFRipper (template scanned successfully)
- 3 = unknown / unhandled exception in scanning the templates